Obviously there is other issues around not sanitising the data yourself, but in the context of the reply - i.e. buffer overflows for arbitrary code exec - java is fully protected.
any access to an array is checked by the vm. -- Michael On 3/29/06, Eliah Kagan <[EMAIL PROTECTED]> wrote: > > On 3/29/06, Andrew van der Stock wrote: > > > This is not quite true. > > > > > > Java does not prevent integer overflows (it will not throw an > > > exception). So you still have to be careful about array indexes. > > On 3/28/06, [EMAIL PROTECTED] replied: > > No you dont. > > > > Arrays are all bounds checked; ..., that is, the following code will > > throw an exception: > > > > ================================ > > class Foo { > > static { > > int[] m = new int[2]; > > System.out.println(m[34]); > > } > > } > > ================================ > > > > > > What do you mean by "overflow"? Do you mean this? > > > > ================================ > > class Foo { > > static { > > int m = Integer.MAX_VALUE; > > int k = Integer.MAX_VALUE + Integer.MAX_VALUE; > > System.out.println(m); > > System.out.println(k); > > System.exit(0); > > } > > } > > ================================ > > > > if so, I don't see how that is an issue. > > > > -- Michael > > That is an issue in a limited way--if you are trying to access a > record with a high enough number (say by adding a number to a previous > array index), you might end up accessing a record with a low number, > which could potentially compromise the security of an application if > certain assumptions are made. But this would only be within the same > array that is already being accessed. The risk is minimal compared to > the risks of accessing past the end of an array in, say, C. > > Even with bounds checking, there is no general way for a programming > language to stop the programmer from writing a program that accesses > the wrong piece of data in within a data structure, causing a security > problem. Java was never designed to solve this sort of problem. Java > does abstract data access so that many common bugs like buffer > overflows are prevented, which is very useful. > > -Eliah > _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php